Abstract. After some excitement generated by recently suggested public key exchange protocols due to Anshel-Anshel-Goldfeld and Ko-Lee et al., it is a prevalent opinion now that the conjugacy search problem is unlikely to provide a sufficient level of security if a braid group is used as the platform. In this paper we address the following questions: (1) whether choosing a different group, or a class of groups, can remedy the situation; (2) whether some other "hard" problem from combinatorial group theory can be used, instead of the conjugacy search problem, in a public key exchange protocol. Another question that we address here, although somewhat vague, is likely to become a focus of the future research in public key cryptography based on symbolic computation: (3) whether one can efficiently disguise an element of a given group (or a semigroup) by using defining relations.
1. Introduction

One of the possible generalizations of the discrete logarithm problem to arbitrary groups is the so-called conjugacy search problem: given two elements $a, b$ of a group $G$ and the information that $a^x = b$ for some $x \in G$, find at least one particular element $x$ like that. Here $a^x$ stands for $xax^{-1}$. The (alleged) computational difficulty of this problem in some particular groups (namely, in braid groups) has been used in several group based cryptosystems, most notably in the protocols of Anshel-Anshel-Goldfeld and Ko-Lee et al. However, after some initial excitement (which has even resulted in naming a new area of "braid group cryptography"; see [?]), it seems now that the conjugacy search problem in a braid group cannot provide a sufficient level of security; see [18] for explanations.

Therefore, one faces the following two natural questions:

Question 1. Is there a group, or a class of groups, where the public key exchange protocol suggested in [?] would be secure enough to be used in real-life applications?

Question 2. Is there another "hard" problem in combinatorial group theory that can 
be used, instead of the conjugacy search problem, in a public key exchange protocol? 

Without a positive answer to at least one of these questions, it is unlikely that 
combinatorial group theory will have a significant impact on public key cryptography, 
which is now dominated by methods and ideas from number theory. 

We point out one more question, which has not been getting sufficient attention so 
far, but is likely to become a focus of the future research in public key cryptography 
based on symbolic computation: 

Question 3. Can one efficiently disguise an element of a given group (or a semigroup) 
by using defining relations? 

Disguising an element before transmission is sometimes called "diffusion"; see e.g. [?]. The importance of this is rather obvious: if, for example, one transmits a conjugate $xax^{-1}$ of a public element $a$ "as is", i.e., without diffusion, then the opponent can determine the private element $x$ just by inspection. A similar problem arises in any other public key exchange protocol. In protocols based on ideas from number theory, the diffusion is usually provided "automatically", due to various properties of the decimal or other numerical system that is used. For instance, in the product $7 \cdot 3 = 21$, the factors 7 and 3 cannot be determined just by inspection; this is provided simply by the way we multiply integers in the decimal system, or, equivalently, by the existence of a simple "normal form" for integers.

In abstract groups, we usually do not have this facility. In fact, in an abstract group (or a semigroup), the result of multiplication is simply concatenation: $a \cdot b = ab$, i.e., an extra effort is always required to disguise factors in a product. This is why a diffusion mechanism is of paramount importance in any public key exchange protocol based on symbolic computation.

We note here that recent work of Myasnikov and Ushakov makes it appear likely 
that, speaking somewhat informally, in a "generic" group, the amount of work needed 
to disguise a "generic" element by using defining relations is about the same as needed 
to recover an element from its disguised form. This, of course, is unacceptable in 
cryptographic applications. It seems that the difficulty in disguising an element of a 
group (or a semigroup) by using defining relations might be a major obstacle for using 
symbolic computation in public key cryptography, and the problem of diffusion will 
therefore take the center stage in future research. 

In this paper, we contribute toward a solution of this problem in Section 7 by breaking down defining relations of a group into "small pieces". More formally, we replace a given group by an isomorphic group where all relators have length at most 3. Intuitively, diffusion should be easier to achieve in groups with shorter defining relations, so we hope that our idea can be useful.
As far as other questions are concerned, we have to say up front that, in our opinion, Question 1 has a smaller chance for a positive answer, and it is unlikely that the conjugacy search problem will be used in real-life implementations. Nevertheless, we study Question 1 here in Section 6 by exploring the idea of using random groups from a sufficiently large class of groups instead of a single group. Technically, braid groups, too, are a class of groups, but this class is too narrow in the sense that, informally speaking, any (meaningful) algorithm that works for a particular group $B_n$, $n \ge 5$, would also work for $B_m$ for any $m \ge 5$. We may call such a class of groups "algorithmically homogeneous". Here we draw attention to a more diverse class of small cancellation groups that satisfy small cancellation conditions $C(4)$, $T(4)$, but not $C'(1/6)$ (see [14]). The latter is needed to try to avoid hyperbolic groups (all finitely presented $C'(1/6)$ groups are hyperbolic), where the conjugacy search problem can be solved very quickly (see [?] for discussion).

In the class of groups with small cancellation conditions $C(4)$ and $T(4)$, the word problem is solvable in quadratic time (see [14, Theorem V.6.3]), which meets the necessary condition for an efficient common key extraction by authorized parties. We note in passing that the existence of a unique normal form for elements of a particular group $G$ is not necessary for common key extraction, as observed in [?]. If Alice and Bob have arrived at a point where Alice has an element, say, $u$, and Bob has an element $v$ such that $u = v$ in $G$, then they can establish a common key as follows. Alice chooses, privately, a finite binary sequence $b_1, b_2, \dots$, which is going to be her common secret key with Bob. She then transmits a sequence of group elements $u_1, u_2, \dots$ such that $u_i = u$ in $G$ if and only if $b_i = 1$. Bob recovers the sequence $b_1, b_2, \dots$ by comparing $u_1, u_2, \dots$ to his $v$.

We note that there is no known polynomial time algorithm for solving the conjugacy 
search problem in an arbitrary group with small cancellation conditions C(4) and T(4). 

In Section 3 we consider a different problem from combinatorial group theory that can be used in a public key exchange protocol. This is yet another generalization of the discrete logarithm problem. Given a group $G$ with the semigroup of endomorphisms $\mathrm{End}\,G$, suppose there are two subsemigroups, $A \subseteq \mathrm{End}\,G$ and $B \subseteq \mathrm{End}\,G$, such that for any $\alpha \in A$ and $\beta \in B$, one has $\alpha\beta = \beta\alpha$. Let $w \in G$ be a public element. Then the key exchange protocol is quite standard: Alice chooses, privately, some $\alpha \in A$ and sends $\alpha(w)$ to Bob. Bob chooses some $\beta \in B$ and sends $\beta(w)$ to Alice. Since $\alpha\beta = \beta\alpha$, both end up with a common private key $\alpha(\beta(w)) = \beta(\alpha(w))$.

The point is, of course, in selecting a platform group $G$ and semigroups $A, B \subseteq \mathrm{End}\,G$ wisely, so that the corresponding key exchange protocol is both secure and efficient. One special case of such an arrangement appears in [?], where $G$ is a braid group $B_n$, and $A, B$ consist of inner automorphisms (i.e., conjugations). This arrangement, however, makes the cryptosystem vulnerable to so-called "length based" attacks (see e.g. [?]) because applying a generic automorphism to a generic element of a group tends to increase the length of (the normal form of) this element. To avoid attacks of this kind, we suggest here using non-injective endomorphisms; the effect of such an endomorphism on the length of an element is no longer predictable.
Again, in Section 5 we suggest using a large class of groups instead of a fixed group and selecting a random group from this class every time one wants to initiate a public key exchange protocol. A particular class of groups that we consider here is the class of Artin groups of extra large type. Groups in this class are known to be automatic [17], which implies, in particular, that the word problem in any group from this class is solvable in quadratic time. Further details are given in Section 5.

Finally, we note that, as a further generalization, one can use arbitrary well-defined mappings $\alpha, \beta$ (not necessarily endomorphisms) of a group $G$ in the above context. A simple example of that kind was given in [?]; see also our Section 3.

2. Algebraic public-key cryptographic systems 

The central requirement for an operational public-key cryptographic system (PKC) is a one-way function; in theory, it is the security core in the development and implementation of public-key cryptographic protocols. Let $S$ and $T$ be two sets. In essence, a one-way function is a feasibly computable function $f : S \to T$ such that given the image $y = f(x)$, it is computationally infeasible to determine a preimage $x \in S$.

For an algebraic characterization of a one-way function, we assume S and T to be 
associative algebraic structures with a single binary operation, e.g., semigroups. We 
call these structures platforms when used in the context of cryptography. 

Let the pair $(X; R)$ be a presentation of a semigroup $S$, where $X = \{x_1, x_2, \dots\}$ is a set of generators of $S$ and $R = \{r_1 = r_1', r_2 = r_2', \dots\}$ a set of defining relations. The full transformation semigroup of $S$, denoted by $T_S$, is the set of all functions $S \to S$, closed under composition; see e.g. [?]. A function $t \in T_S$ is well-defined in $S$ if for any $w, w' \in S$ such that $w = w'$, one has $t(w) = t(w')$.

The set of well-defined functions from $T_S$ can be utilized to deliver diffusion in $S$, i.e., to dissemble an element of the platform $S$ before transmission by using its defining relations. If a subset $T \subseteq T_S$ consisting of well-defined functions acts on $S$, say,

$$f : S \times T \to S \quad\text{described by}\quad f : (w, t) \mapsto t(w),$$

such that recovering $w$ from $t(w) = f(w, t)$ is computationally infeasible, then the action $f$ satisfies the principal requirement of a one-way function.

A particular example of such a subset $T \subseteq T_S$ would be $\mathrm{End}\,S$, the set (which is actually a monoid) of endomorphisms of $S$. Let $G$ be an arbitrary semigroup and let $\rho : G \to \mathrm{End}\,S$ be a morphism. Then $\rho$ determines an action on $S$ by its image (denoted by $\mathrm{Im}\,\rho$), i.e., $g \mapsto (w \mapsto t(w))$, for $g \in G$ and $t = \rho(g) \in \mathrm{End}\,S$. The function

$$f : S \times T \to S \quad\text{given by}\quad (w, t) \mapsto t(w) = w'$$

explicitly defines the action, where $T = \mathrm{Im}\,\rho$. If the search for a $t \in T$ such that $f(w, t) = w'$ is computationally infeasible, then the action $f$ is an intrinsic one-way function inherited by $S$ via a semigroup $T$.

Therefore, an algebraic characterization of a one-way function can be determined through an action, as specified above, by algebraic properties of $S$ and $T$. Without loss of generality, given feasibly computable algebraic structures $S$ and $T$, if there exists an action $f : S \times T \to S$ such that $f$ is a one-way, well-defined function for fixed values of $T$, then the elements of $S$ can be manipulated for public-key encryption.

Definition 1. An algebraic public-key cryptographic system is a tuple $(S, T, f; \mathcal{H}, h)$ satisfying the following properties:

• $S$ and $T$ are feasibly computable algebraic structures (e.g. semigroups).

• $f : S \times T \to S$ is an action that is one-way and well-defined for fixed values of $T$: given a private $t \in T$ and any public $w \in S$, it is infeasible to determine $t$ from $f(w, t)$, and for any $w' \in S$ such that $w' = w$, one has $f(w', t) = f(w, t)$.

• $\mathcal{H}$ is a set of auxiliary feasibly computable algebraic structures defined for specific protocols (i.e. key exchange, decryption, etc).

• $h : X \times Y \to X$ is an auxiliary action (defined for specific protocols), where $X$ and $Y$ are one of the algebraic structures $S$, $T$, or $H \in \mathcal{H}$.

Let us now assume $S$ to be a feasibly computable group $G$. With the developed analysis, we interpret the standard theory of PKC as arising from a permutation representation $\rho : G \to S_G$, where $S_G \subseteq T_G$ is the symmetric group of $G$, such that $\rho : x \mapsto x^\rho$ and $\mathrm{Im}\,\rho$ is a subgroup of the group of automorphisms of $G$, denoted by $\mathrm{Aut}\,G$. Since the elements $x^\rho \in \mathrm{Im}\,\rho$ are automorphisms, $x^\rho$ acts by permuting words $g \in G$ with the capability of providing cryptographic confusion and diffusion (see e.g. [?]).

If for every $x^\rho \in \mathrm{Im}\,\rho$ the recovery of $g$ from $g' = x^\rho(g)$ is infeasible, then the representation $\rho$ determines a one-way function; namely, the group action

$$f : G \times N \to G \quad\text{defined by}\quad (g, x^\rho) \mapsto x^\rho(g) = g',$$

where $N$ is a subgroup of $\mathrm{Aut}\,G$. Given $g' = f(g, x^\rho)$, it should be noted that it suffices to "search" for $(x^\rho)^{-1}$ in $\mathrm{Aut}\,G$ to determine $g \in G$; this establishes an automorphism search problem for $G$.

Definition 2. Let $F(X)$ be the free group with basis $X$ and let $(X; R)$ be a presentation of $G$.

• Given an arbitrary word $g \in G$, the word problem (WP) is the algorithmic problem of deciding whether or not $g = 1$.

• Given a word $g \in G$ such that $g = 1$, the word search problem (WSP) is the algorithmic problem of "searching" for an explicit expression of $g$ as a product $u_1 r_1^{\epsilon_1} u_1^{-1} \cdots u_t r_t^{\epsilon_t} u_t^{-1} = g$, where $u_i \in F(X)$, $r_i \in R$, and $\epsilon_i \in \{\pm 1\}$.

• Two words $g, h \in G$ are conjugate if there is an $x \in G$ such that $xgx^{-1} = h$. The algorithmic problem of deciding whether or not two arbitrary words $g, h \in G$ are conjugate is the conjugacy problem (CP).

• Given two conjugate words $g, h \in G$, the conjugacy search problem (CSP) is the algorithmic problem of "searching" for an $x \in G$ satisfying $xgx^{-1} = h$.

V. SHPILRAIN AND G. ZAPATA

Example 1. The braid group on $n$ strands, denoted by $B_n$, with presentation

$$B_n = \langle \sigma_1, \dots, \sigma_{n-1} ;\ \sigma_i\sigma_j\sigma_i = \sigma_j\sigma_i\sigma_j \text{ for } |i - j| = 1,\ \sigma_i\sigma_j = \sigma_j\sigma_i \text{ for } |i - j| \ge 2 \rangle,$$

has the word problem solvable in quadratic time. The braid group $B_n$ is a suggested group-theoretic platform for the implementation of the conjugacy search problem; see [?].

We note that the group $\mathrm{Aut}\,B_n$ is equal to $\langle \mathrm{Inn}\,B_n, \eta \rangle$, where $\mathrm{Inn}\,B_n$ is the group of inner automorphisms of $B_n$ and $\eta : \sigma_i \mapsto \sigma_i^{-1}$ for every generator $\sigma_i$ of $B_n$. Thus, the general automorphism search problem for $B_n$ basically reduces to the inner-automorphism search problem for $B_n$, i.e., to the conjugacy search problem for braid groups.

3. Commuting Action Key Exchange (CAKE) 

To change the standard methodology of working implicitly just with the automorphism group of $G$, we generalize an action $f : G \times \mathrm{Aut}\,G \to G$, using Definition 1, to a well-defined action on an algebraic structure $S$ by an algebraic structure $N$ for fixed values of $N$. To manifest the advantage of the abstraction, we construct an algebraic PKC for the implementation of a key exchange protocol based on a generalization of the discrete logarithm problem:

Definition 3 (Commuting Action Key Exchange, CAKE). Select the platforms $S$ and $T$ to establish an algebraic PKC tuple $(S, T, f; \mathcal{H})$, where the auxiliary set $\mathcal{H}$ is $\{A, B \subseteq T \mid \forall \alpha \in A\ \forall \beta \in B\ \ \alpha\beta = \beta\alpha\}$. The key exchange protocol is set for two entities, Alice and Bob.

Protocol:

(1) The semigroup $S$, a word $w \in S$, and a generating set for each semigroup in $\mathcal{H}$ are made public.

(2) Alice chooses a private word $\alpha \in A$ satisfying $f(w, \alpha) \ne 1$ and transmits $f(w, \alpha) = w^\alpha$ to Bob.

(3) Bob chooses a private word $\beta \in B$ satisfying $f(w, \beta) \ne 1$ and transmits $f(w, \beta) = w^\beta$ to Alice.

(4) Alice computes $f(w^\beta, \alpha) = w^{\beta\alpha}$ and Bob computes $f(w^\alpha, \beta) = w^{\alpha\beta}$. Both entities establish $w^{\alpha\beta} = w^{\beta\alpha}$ as the common secret key.

Example 2. The Diffie-Hellman protocol becomes an instance of the CAKE proto- 
col if the multiplicative group of integers modulo a prime number and its standard 
automorphism group are the chosen platforms. 

A simple, well-studied associative algebraic system $S$ with a single binary operation and a commutative semigroup $T \subseteq \mathrm{End}\,S$ generated by a large set of elements are good potential candidates for the implementation of CAKE. In this case, both $\alpha$ and $\beta$ are endomorphisms of $S$, and $\alpha(\beta(w)) = \beta(\alpha(w))$ becomes the common key. Similarly, one can also use a commutative subsemigroup $T$ of the full transformation semigroup $T_S$ containing well-defined functions $\alpha, \beta$ (not necessarily endomorphisms) of $S$. A basic example of that kind was given in [?].

Example 3. Let $A, B \subseteq S$ be two subsemigroups of a semigroup $S$ such that $ab = ba$ for any $a \in A$, $b \in B$. Given a public element $w \in S$, Alice computes $w \mapsto a_1 w a_2$, where $a_1, a_2 \in A$ are her private elements, and transmits this new element to Bob (after disguising it somehow). Similarly, Bob transmits $w \mapsto b_1 w b_2$, where $b_1, b_2 \in B$ are his private elements. The common key now is $a_1 b_1 w b_2 a_2 = b_1 a_1 w a_2 b_2$.

Note that if $A, B \subseteq S$ are groups, the protocol of Ko, Lee et al. [?] can also be obtained as a special case of the above protocol where $a_2 = a_1^{-1}$ and $b_2 = b_1^{-1}$.



4. Classes of groups vs. particular groups

Let $\mathcal{B}$ be the class of braid groups. A generic element $B_n$ from this class can be chosen from $\mathcal{B}$ simply by randomly selecting a natural number for the variable $n$. For general applications, once a choice for a braid group $B_n$ is made, an algorithm that applies to this group also applies to other braid groups. Informally speaking, the braid groups are "algorithmically homogeneous" and this can be a drawback for cryptographic applications, as stated in the Introduction. In the following sections, we address this issue by considering wider classes of groups.

In particular, we introduce additional randomness to an algebraic PKC protocol, requiring that its platforms be selected at random from a wider class of groups at the beginning of the generation of keys. Moreover, isomorphic groups from a wider class provide a mechanism for diffusion, as examined in the last section of the paper. The use of isomorphic groups and random selections from a class of groups is a familiar scenario for cryptosystems; both in the RSA and in the discrete logarithm cryptosystems, primes are randomly selected for application, i.e., a multiplicative group of integers and a subgroup of its automorphism group are randomly selected.

To exemplify these ideas, we first consider the class of Artin groups of extra large type for the implementation of the Commuting Action Key Exchange protocol, via endomorphisms. Second, despite our belief that Question 1 in the Introduction is likely to have a negative answer, we give the conjugacy search problem (CSP) the benefit of the doubt; we consider the class of groups satisfying small cancellation conditions $C(4)$ and $T(4)$, but not $C'(1/6)$ (to try to avoid hyperbolic groups), for the implementation of a cryptosystem relying on CSP. Furthermore, these classes of groups offer additional properties that can be utilized in other algebraic PKC protocols.

5. The class of Artin groups of extra large type

Let $G_\Gamma$ be a group with presentation

$$G_\Gamma = \langle g_1, \dots, g_n ;\ r(g_i, g_j) = 1 \ \text{(for } 1 \le i, j \le n \text{ and } i \ne j) \rangle,$$

where $n \ge 2$ and $r(g_i, g_j) = 1$ is a relator involving two generators. Given $G_\Gamma$ there is an associated labeled graph $\Gamma$ and vice versa. The vertices of the graph $\Gamma$ are labeled by the generators of $G_\Gamma$. Any two vertices $g_i, g_j \in \Gamma$ are connected by an edge if there is a relation $r(g_i, g_j) \in G_\Gamma$ between the corresponding generators; in other words, edges are labeled by relations.

Example 4. An Artin group $A_\Gamma$ is a group with presentation

$$A_\Gamma = \langle a_1, \dots, a_n ;\ \Pi_{ij} = \Pi_{ji} \text{ for } 1 \le i < j \le n \rangle, \quad\text{where } \Pi_{ij} = a_i a_j a_i \cdots \text{ is a word of length } m_{ij}$$
and $m_{ij} = m_{ji}$. Artin groups arise as generalizations of braid groups; see e.g. [2]. For an Artin group $A_\Gamma$, the associated labeled graph $\Gamma$ has no multiple edges or loops. The vertices $a_i$ of $\Gamma$ are the generators of the Artin group. Any two vertices $a_i, a_j \in \Gamma$ are connected by an edge, labeled with the integer $m_{ij}$, associated to the relation $\Pi_{ij} = \Pi_{ji}$ (between the corresponding generators $a_i, a_j \in A_\Gamma$).

In general, automorphisms (or endomorphisms) of the graph $\Gamma$ induce automorphisms (or endomorphisms) of the group $G_\Gamma$. Therefore, the graph associated to $G_\Gamma$ gives us a direct procedure for the construction of a semigroup $T \subseteq \mathrm{End}\,G_\Gamma$ that can contain a large pool of commuting elements. This is a necessary condition for common key extraction by legitimate parties in the application of the Commuting Action Key Exchange protocol (CAKE, Definition 3). To construct the corresponding semigroup $T$ with sufficiently many endomorphisms, a graph $\Gamma$ can be chosen to be a tree. The procedure implemented for the Ko-Lee protocol can then be utilized to provide for commuting endomorphisms, i.e., one splits the vertices of the graph into two disjoint sets such that each of the entities, Alice and Bob, selects endomorphisms which act on their own set.

Example 5. The relations of the braid groups $B_n$ involve two generators. The corresponding graph associated to $B_n$ is just a simple path, and it has only one non-trivial automorphism, which induces the following automorphism of $B_n$: $\sigma_i \mapsto \sigma_{n-i}$, which happens to be an inner automorphism of $B_n$. For other $G_\Gamma$ groups, however, their corresponding graphs are more complex, and it is easy to arrange for a large semigroup (or a group) $T \subseteq \mathrm{End}\,G_\Gamma$ of endomorphisms (or automorphisms).

Artin groups $A_\Gamma$ with the property that all the integers $m_{ij} \ge 4$ are called Artin groups of extra large type. A tree $\Gamma$ can be associated to an Artin group of extra large type, providing a direct procedure for constructing a semigroup $T \subseteq \mathrm{End}\,A_\Gamma$. Moreover, Artin groups of extra large type are automatic [17], thus the word problem for groups in this class can be solved in quadratic time, and by a result of [?] the word problem is solvable in linear time on average. Therefore, we can suggest the class of Artin groups of extra large type as platforms for CAKE.

5.1. Key exchange protocol based on Artin groups. In this section we present the class of Artin groups of extra large type as an implementable class for CAKE.

Key generation: Randomly select a finite rooted tree $\Gamma$ with $l$ levels such that the degree of the root is equal to 2, and the degrees of all other vertices are between 2 and an integer $m$, with the exception of the end vertices, whose degrees are 1. Associate to the tree $\Gamma$ an Artin group $A_\Gamma$ of extra large type by labelling each vertex of $\Gamma$ with a letter and numbering an edge by a (random) $m_{ij} \ge 4$ if there are two corresponding vertices $a_i$ and $a_j$ incident to this edge.

Let $a_k$ be the root of the tree and let $\Gamma_0 = \Gamma - a_k$ be the subgraph obtained by deleting the root $a_k$. The graph $\Gamma_0$ consists of two finite disjoint subtrees, say, $\Gamma_A$ and $\Gamma_B$, that are spliced by the root $a_k$. The associated subgroups are $A_{\Gamma_A}$ and $A_{\Gamma_B}$.

The sets of graph endomorphisms of $\Gamma_A$ and $\Gamma_B$ induce the submonoid of endomorphisms $\mathrm{End}\,A_{\Gamma_A} \times \mathrm{End}\,A_{\Gamma_B} \le \mathrm{End}\,A_\Gamma$ such that for any $\alpha \in \mathrm{End}\,A_{\Gamma_A}$ and $\beta \in \mathrm{End}\,A_{\Gamma_B}$, $\alpha$ and $\beta$ commute: $\alpha\beta = \beta\alpha$. In order for both submonoids to act non-trivially on a public word $w \in A_\Gamma$, the word must involve some generating elements $a_1, \dots, a_p \in A_{\Gamma_A}$ and some generating elements $b_1, \dots, b_q \in A_{\Gamma_B}$, i.e., $w = w(a_1, \dots, a_p, b_1, \dots, b_q)$.

CAKE for Artin groups of extra large type. Choose a random Artin group $A_\Gamma$ of extra large type to be the platform $S$ for the CAKE tuple $(S, T, f; \mathcal{H})$, and let $T = \mathrm{End}\,A_{\Gamma_A} \times \mathrm{End}\,A_{\Gamma_B}$. Define $\mathcal{H}$ to be the set $\{\mathrm{End}\,A_{\Gamma_A}, \mathrm{End}\,A_{\Gamma_B}\}$. The protocol is set for Alice and Bob.

Protocol:

(1) The random group $A_\Gamma$, a word $w = w(a_1, \dots, a_p, b_1, \dots, b_q) \in A_\Gamma$ and a generating set for each element of $\mathcal{H}$ are made public.

(2) Alice chooses a private word $\alpha \in \mathrm{End}\,A_{\Gamma_A}$ and transmits $f(w, \alpha) = w^\alpha$ to Bob.

(3) Bob chooses a private word $\beta \in \mathrm{End}\,A_{\Gamma_B}$ and transmits $f(w, \beta) = w^\beta$ to Alice.

(4) Alice computes $f(w^\beta, \alpha) = w^{\beta\alpha}$ and Bob computes $f(w^\alpha, \beta) = w^{\alpha\beta}$. Alice and Bob set

$$w^{\alpha\beta} = w^{\beta\alpha}$$

as their common secret key.

Remark. By introducing randomness in the selection of the group $A_\Gamma$, we make the present approach dynamic. The class of Artin groups of extra large type seems to be less "algorithmically homogeneous" than, say, the class of braid groups. In general, algorithmic non-homogeneity can disrupt general algorithmic methods an opponent might obtain for the purpose of acquiring a private key. For example, a typical endomorphism (non-automorphism) for $A_\Gamma$ would be merging two terminal children vertices of the same parent, "confusing" the length of the word $w$. As a result, the effect of such an endomorphism on the length of a generic element of the group is no longer predictable, calling length attacks into question.
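The tree-based CAKE instance of Section 5.1 and the merging endomorphism of the Remark, worked through in Python as an added example that is not the paper's own code: the tree, edge labels, endomorphisms and public word are constructed for illustration, the endomorphism test is the edge-label condition under which a vertex map of $\Gamma$ induces an endomorphism of $A_\Gamma$, and words are compared after free reduction only.

```python
"""CAKE on an Artin group of extra large type built from a rooted tree, as in
Section 5.1. Added example, not the paper's code: the tree, edge labels,
endomorphisms and public word are constructed for illustration."""
import random


def random_tree(levels, m, seed=0):
    """Key generation: rooted tree with `levels` levels whose root 'r' has
    degree 2, inner vertices degree 2..m (one parent, 1..m-1 children) and
    leaves degree 1; every edge gets a random label m_ij >= 4."""
    rng = random.Random(seed)
    edges = [('r', 'a1', rng.randint(4, 7)), ('r', 'b1', rng.randint(4, 7))]
    frontier, count = ['a1', 'b1'], {'a': 1, 'b': 1}
    for _ in range(levels - 2):
        nxt = []
        for v in frontier:
            side = v[0]                   # 'a': Gamma_A side, 'b': Gamma_B side
            for _ in range(rng.randint(1, m - 1)):
                count[side] += 1
                child = f"{side}{count[side]}"
                edges.append((v, child, rng.randint(4, 7)))
                nxt.append(child)
        frontier = nxt
    return edges


def is_graph_endomorphism(f, edges):
    """A vertex map f (dict; identity where a vertex is absent) induces an
    endomorphism of A_Gamma if every edge {u,v} labelled m is either collapsed
    (f(u) == f(v), so the relation becomes trivial) or sent onto an edge with
    the same label m, so the image of the relation Pi_uv = Pi_vu still holds."""
    label = {frozenset((u, v)): m for u, v, m in edges}
    for u, v, m in edges:
        fu, fv = f.get(u, u), f.get(v, v)
        if fu != fv and label.get(frozenset((fu, fv))) != m:
            return False
    return True


def word(s):
    """'a2 A3 r' -> [('a2', 1), ('a3', -1), ('r', 1)]; capital = inverse."""
    return [(t.lower(), -1 if t[0].isupper() else 1) for t in s.split()]


def apply(f, w):
    """Apply the induced endomorphism letter by letter, then freely reduce."""
    out = []
    for g, e in w:
        g = f.get(g, g)
        if out and out[-1] == (g, -e):
            out.pop()
        else:
            out.append((g, e))
    return out


def cake(w, alpha, beta):
    """Definition 3 with f(w, t) = t(w): returns (Alice's key, Bob's key)."""
    w_alpha = apply(alpha, w)             # step (2): Alice -> Bob
    w_beta = apply(beta, w)               # step (3): Bob -> Alice
    return apply(alpha, w_beta), apply(beta, w_alpha)   # step (4)


# Constructed instance: Gamma_A = {a1..a4}, Gamma_B = {b1..b4}, spliced at 'r'.
EDGES = [('r', 'a1', 4), ('r', 'b1', 5),
         ('a1', 'a2', 4), ('a1', 'a3', 4), ('a1', 'a4', 6),
         ('b1', 'b2', 5), ('b1', 'b3', 5), ('b1', 'b4', 4)]
# Non-injective endomorphisms of the kind the Remark describes: merge two
# terminal children of the same parent (equal edge labels, so the check passes).
ALPHA = {'a3': 'a2'}                      # Alice's private alpha in End A_{Gamma_A}
BETA = {'b3': 'b2'}                       # Bob's private beta in End A_{Gamma_B}
BAD = {'a4': 'a2'}                        # labels 6 vs 4: not an endomorphism
W = word("a2 A3 r b2 B3 a4 b1")           # public word involving both sides

if __name__ == "__main__":
    key_a, key_b = cake(W, ALPHA, BETA)
    print(key_a == key_b, len(W), len(key_a))   # keys agree; 7 letters shrink to 3
```

Merging a3 into a2 turns the subword a2 a3^-1 into a2 a2^-1, which cancels, so the transmitted word is shorter than the public one; that is the length effect the Remark describes.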

6. A class of small cancellation groups

In this section, we follow Lyndon and Schupp [14]. For facts about small cancellation theory the reader is referred to this source for further reading. Let $F(X)$ be the free group with a basis $X = \{x_i \mid i \in I\}$, where $I$ is an indexing set. Let $\epsilon_k \in \{\pm 1\}$, where $1 \le k \le n$. A word $w(x_1, \dots, x_n) = x_{i_1}^{\epsilon_1} x_{i_2}^{\epsilon_2} \cdots x_{i_n}^{\epsilon_n}$ in $F(X)$, with all $x_{i_k}$ not necessarily distinct, is a reduced $X$-word if $x_{i_k}^{\epsilon_k} \ne x_{i_{k+1}}^{-\epsilon_{k+1}}$ for $1 \le k \le n - 1$. In addition, the word $w(x_1, \dots, x_n)$ is cyclically reduced if it is a reduced $X$-word and $x_{i_1}^{\epsilon_1} \ne x_{i_n}^{-\epsilon_n}$. A set $R$ containing cyclically reduced words from $F(X)$ is symmetrized if it is closed under cyclic permutations and taking inverses.

Let $G$ be a group with presentation $(X; R)$. A non-empty word $u \in F(X)$ is called a piece if there are two distinct relators $r_1, r_2 \in R$ of $G$ such that $r_1 = uv_1$ and $r_2 = uv_2$. The group $G$ belongs to the class $C(p)$ if no element of $R$ is a product of fewer than $p$ pieces. Also, the group $G$ belongs to the class $C'(\lambda)$ if for every $r \in R$ such that $r = uv$ and $u$ is a piece, one has $|u| < \lambda|r|$.

In particular, if $G$ belongs to the class $C'(1/6)$, then Dehn's algorithm solves the word problem for $G$. Thus, if $G$ is a finitely presented group from the class $C'(1/6)$, then it is hyperbolic.

Example 6. Let $\langle x_1, x_2, x_3 ;\ x_1^2 x_2 x_3^2 x_2^{-1} = 1,\ x_2^2 x_3 x_1^2 x_3^{-1} = 1 \rangle$ be a presentation of a group $G$. Now, $x_1^{\pm 2}$, $x_2^{\pm 1}$, $x_2^{\pm 2}$, $x_3^{\pm 1}$, $x_3^{\pm 2}$, $(x_2 x_3)^{\pm 1}$ and $(x_2 x_3^{-1})^{\pm 1}$ are the pieces of $G$, and every relator is a product of four of these pieces. Therefore, the group $G$ is in the class of $C(4)$ groups. However, $G$ is not in the class of $C'(1/6)$; for $i = 1, 2$ and $3$, the pieces $x_i^{\pm 1}$ satisfy $|x_i^{\pm 1}| = \frac{1}{6}|x_1^2 x_2 x_3^2 x_2^{-1}|$ and $|x_i^{\pm 1}| = \frac{1}{6}|x_2^2 x_3 x_1^2 x_3^{-1}|$.

The solution of the conjugacy problem (CP) is irrelevant for the implementation of 
a cryptographic protocol utilizing the computational difficulty of the conjugacy search 
problem (CSP). However, reasonable evidence of a potentially computationally hard 
CSP is provided if there is no known polynomial time algorithm for CP. 

For a class of small cancellation groups possessing the property of "no known polynomial time algorithm for CP", we need one more condition. A group $G$ with finite presentation $(X; R)$ belongs to the class $T(q)$ for a natural number $q$ if for any sequence $r_1, \dots, r_n \in R$, with $3 \le n < q$ and $r_i \ne r_{i+1}^{-1}$, at least one of the products $r_1 r_2, \dots, r_{n-1} r_n, r_n r_1$ is cyclically reduced without cancellation.

A group $G$ with presentation $(X; R)$ is said to be a small cancellation group of type $C(p)$-$T(q)$ if it belongs to the classes $C(p)$ and $T(q)$. By Theorem V.6.3 of [14], the word problem is solvable in the class of small cancellation groups of type $C(4)$-$T(4)$. If hyperbolic groups $C'(1/6)$ are avoided, then, generally, there is no known polynomial time algorithm for solving the conjugacy search problem for groups in this class (even though the conjugacy problem is solvable by [14, Theorem V.7.6]).

Thus, in this class, legitimate entities can choose a random group and implement an algebraic PKC protocol, e.g. CAKE, that relies on the hardness of the conjugacy search problem or a harder problem that can potentially arise (as we indicated in Sections 2 and 3).

Example 7. Consider the presentation $\langle x_1, x_2, x_3 ;\ x_1^2 x_2 x_3^2 x_2^{-1},\ x_2^2 x_3 x_1^2 x_3^{-1} \rangle$ for $G$, the group of Example 6. For any $r_1$, $r_2$ and $r_3$, no two of which are inverse of one another, from the symmetrized set $\{x_1^2 x_2 x_3^2 x_2^{-1}, x_2^2 x_3 x_1^2 x_3^{-1}\}$, no cancellation is possible in at least one of the words $r_1 r_2$, $r_2 r_3$ and $r_3 r_1$. Therefore, $G$ belongs to the class of $T(4)$ and $C(4)$ groups, but not to the class of $C'(1/6)$ groups.

7. Diffusion 

In this section, we offer a method that can, in our opinion, substantially enhance the "diffusion", i.e., the process of disguising an element of a given group by using defining relations. This method is not brand new, but it was used before in a different context, namely, in attempts to attack the Andrews-Curtis conjecture, a notoriously difficult problem in low-dimensional topology and combinatorial group theory (see e.g. [15]).

The idea is to break down defining relations of a group into "small pieces". More formally, we replace a given group $G$ by an isomorphic group where all relators have length at most 3. Intuitively, diffusion should be easier to achieve in groups with shorter defining relations, so we hope that our idea is useful.

The procedure itself is quite simple. Let $G$ have a presentation $\langle x_1, \dots, x_n ;\ r_1, \dots, r_k \rangle$ in terms of generators $x_1, \dots, x_n$ and defining relations $r_1, \dots, r_k$. We are going to obtain a different presentation for $G$ by using Tietze transformations (see e.g. [?]); these are elementary isomorphism-preserving operations on presentations of groups.

Specifically, let, say, $r_1 = x_i x_j u$, $1 \le i, j \le n$. We introduce a new generator $x_{n+1}$ and a new relator $r_{k+1} = x_{n+1}^{-1} x_i x_j$. The group with the presentation $\langle x_1, \dots, x_n, x_{n+1} ;\ r_1, \dots, r_k, r_{k+1} \rangle$ is obviously isomorphic to $G$. Now if we replace $r_1$ with $r_1' = x_{n+1} u$, then the presentation $\langle x_1, \dots, x_n, x_{n+1} ;\ r_1', r_2, \dots, r_k, r_{k+1} \rangle$ will again define a group isomorphic to $G$, but now the length of one of the defining relations ($r_1$) has decreased by 1. Continuing in this manner, we can eventually obtain a presentation where all relators have length at most 3, at the expense of introducing more generators.

Apparently, relators of length at most 3 can provide a very good diffusion, but the 
natural question now is: why cannot the opponent convert the new presentation back 
to the original one and take it from there? This, indeed, may work with some of the 
protocols, but let us have a look at the situation where applying an endomorphism of 
a group to an element is involved. 

Suppose a group $G'$ is isomorphic to a group $G$ in the way described above. Let $w' \in G'$, and let $\varphi$ be an endomorphism of $G'$ applied to $w'$. The opponent can convert $w'$ and $\varphi(w')$ to elements $w$ and $u$, respectively, of the group $G$, by using relations of the form $x_s = x_{i_1}^{\pm 1} x_{i_2}^{\pm 1}$, where $x_s$ are "new" generators and $x_{i_1}, x_{i_2}$ are "old" generators. Then the opponent may try to find an endomorphism $\psi$ of $G$ such that $u = \psi(w)$ as follows.

Suppose we know that $\varphi$ takes generators $x_i$ of the group $G'$ to some $y_i'$. An obvious way to "lift" $\varphi$ to an endomorphism of $G$ would be to convert $y_i'$ to $y_i \in G$ (again, by using relations of the form $x_s = x_{i_1}^{\pm 1} x_{i_2}^{\pm 1}$), then let $\psi$ be the mapping of $G$ that takes $x_i$ to $y_i$.

This however may not work (and typically will not work) because the endomorphism $\psi$, restricted to the "old" generators (i.e., to the generators of $G$), may not respect the original relations of the group $G$. We can therefore have an element $u \in G$ such that $\psi(w) = u$ in the group $G$, but $\varphi(w') \ne u$ in the group $G'$.

The only way to properly "lift" $\varphi$ to an endomorphism of $G$ would be to combine it with an isomorphism $f : G' \to G$, but the latter is by no means easy to explicitly compute, even if the whole chain of Tietze transformations is known to the opponent, which does not have to be the case. Incidentally, the original group $G$ does not have to be known to the public either.
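The relator-shortening procedure described earlier in this section, carried out on the braid group $B_3$ as an added example that is not the paper's code (the input presentation, with $s = \sigma_1$ and $t = \sigma_2$, and the generator names `y1, y2, ...` are constructed): `shorten` performs the Tietze steps until all relators have length at most 3, and `expand` is the substitution $x_s = x_{i_1}^{\pm 1} x_{i_2}^{\pm 1}$ by which the text says the opponent converts words of $G'$ back to words of $G$.

```python
"""The relator-shortening procedure of Section 7: a Tietze transformation
replaces the length-2 prefix x_i x_j of a relator longer than 3 by a new
generator y with the relator y^-1 x_i x_j, until every relator has length at
most 3. Added example, not the paper's code; the presentation of B_3 below
(s = sigma_1, t = sigma_2) is the constructed input."""


def word(s):
    """'stsTST' -> tuple of (generator, +1/-1); a capital letter is an inverse."""
    return tuple((c.lower(), -1 if c.isupper() else 1) for c in s)


def free_reduce(w):
    out = []
    for g, e in w:
        if out and out[-1] == (g, -e):
            out.pop()
        else:
            out.append((g, e))
    return tuple(out)


def shorten(gens, rels):
    """Return (gens', rels', defs) for a presentation isomorphic to <gens; rels>
    in which every relator has length <= 3; defs records, for each new
    generator y, the pair of letters (x_i, x_j) with y = x_i x_j."""
    gens, rels, defs = list(gens), [tuple(r) for r in rels], {}
    while True:
        longs = [k for k, r in enumerate(rels) if len(r) > 3]
        if not longs:
            return gens, rels, defs
        k = longs[0]
        xi, xj = rels[k][0], rels[k][1]
        y = f"y{len(defs) + 1}"
        gens.append(y)
        defs[y] = (xi, xj)
        rels.append(((y, -1), xi, xj))          # new relator r_{k+1} = y^-1 x_i x_j
        rels[k] = ((y, 1),) + rels[k][2:]        # r_1 = x_i x_j u  becomes  r_1' = y u


def expand(w, defs):
    """Rewrite a word over the new generators back over the old ones by
    substituting y = x_i x_j (and y^-1 = x_j^-1 x_i^-1); this is the
    conversion the text says the opponent can perform."""
    out = []
    for g, e in w:
        if g in defs:
            a, b = defs[g]
            pair = (a, b) if e == 1 else ((b[0], -b[1]), (a[0], -a[1]))
            out.extend(expand(pair, defs))
        else:
            out.append((g, e))
    return tuple(out)


def show(w):
    return " ".join(g if e == 1 else g + "^-1" for g, e in w)


# B_3 = <s, t ; s t s = t s t>, written with the single relator s t s t^-1 s^-1 t^-1.
BRAID3 = (["s", "t"], [word("stsTST")])

if __name__ == "__main__":
    gens, rels, defs = shorten(*BRAID3)
    print(gens)                          # ['s', 't', 'y1', 'y2', 'y3']
    for r in rels:
        print(show(r), "->", show(free_reduce(expand(r, defs))) or "1")
```

Expanding each new relator back over the old generators freely reduces to the identity, and expanding the shortened copy of the original relator recovers it, which is exactly the isomorphism the Tietze steps preserve.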